A method and system for maintaining network activity data for intrusion detection includes storing data representative of network activity in datasets. The datasets include root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset. child datasets are identified through their root datasets.
|
1. A method for maintaining network activity data for an intrusion detection system, comprising:
storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination being a subset of, and less granular than, a root keyset; and
identifying a child dataset of a root dataset through the root dataset.
39. A system for maintaining data on network activity for an intrusion detection system, comprising:
means for storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination being a subset of, and less granular than, a root keyset; and
means for identifying a child dataset of a root dataset through the root dataset.
21. An intrusion detection system, comprising:
logic encoded in computer-readable media; and
the logic operable to store data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination being a subset of, and less granular than, a root keyset and further operable to identify a child dataset for a root dataset through the root dataset.
50. A method for maintaining network activity data for an intrusion detection system, comprising:
storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset;
identifying a child dataset of a root dataset through the root dataset; and
retrieving data for processing a traffic signature by searching a data storage system including the datasets for an existing root dataset having a root keyset corresponding to the traffic signature and identifying all child datasets, sibling root datasets, and child datasets of the sibling root datasets through the root dataset.
53. A system for maintaining data on network activity for an intrusion detection system, comprising:
means for storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset;
means for identifying a child dataset of a root dataset through the root dataset;
means for retrieving data for processing of a traffic signature by searching a data storage system for an existing root dataset having a root keyset corresponding to the traffic signature; and
means for identifying all child datasets, sibling root datasets, and child datasets of the root dataset through the root dataset.
49. A method for maintaining network activity data for an intrusion detection system, comprising:
storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset;
identifying a child dataset of a root dataset through the root dataset;
receiving a traffic signature not having a root dataset;
generating a root dataset having a root keyset representative of the traffic signature;
identifying all existing child and sibling root datasets of the root dataset;
generating all absent child and sibling root datasets of the root dataset; and
associating the child and sibling root datasets with the root dataset.
51. An intrusion detection system, comprising:
logic encoded in computer-readable media;
the logic operable to store data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset and further operable to identify a child dataset for a root dataset through the root dataset; and
the logic further operable to retrieve data for processing of a traffic signature by searching a data storage system including the datasets for an existing root dataset corresponding to the traffic signature and to identify all child datasets, sibling root datasets and child datasets of the root dataset and the sibling root dataset through the root dataset.
52. A system for maintaining data on network activity for an intrusion detection system, comprising:
means for storing data representative of network activity in datasets, the datasets including root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than a root keyset;
means for identifying a child dataset of a root dataset through the root dataset;
means for receiving a traffic signature not having a root dataset;
means for generating a root dataset having a root keyset representative of the traffic signature;
means for identifying all existing child and sibling root datasets of the root dataset;
means for generating absent child and sibling root datasets of the root dataset; and
means for associating the child and sibling root datasets of the root dataset with the root dataset.
47. A method for maintaining data on Internet Protocol (IP) traffic for an intrusion detection system, comprising:
storing data representative of network activity in datasets, the datasets including root datasets each having a quad keyset comprising a source address key, a source port key, a destination address key and a destination port key and child datasets each having a dual keyset with a key combination derived from and less granular than a quad keyset of a root dataset;
storing pointers for each root dataset, the pointers each identifying a child dataset having a dual keyset derived from the quad keyset of the root dataset and a sibling root dataset having a quad keyset a reverse of the quad keyset of the root dataset; and
retrieving data for processing of a traffic signature by performing a single search for a root dataset having a quad keyset corresponding to the traffic signature and identifying relevant child and sibling root datasets through the pointers of the root dataset.
2. The method of
3. The method of
4. The method of
5. The method of
7. The method of
8. The method of
9. The method of
11. The method of
12. The method of
14. The method of
16. The method of
17. The method of
receiving a traffic signature not having a root dataset;
generating a root dataset having a root keyset representative of the traffic signature;
identifying all existing child and sibling root datasets of the root dataset;
generating all absent child and sibling root datasets of the root dataset; and
associating the child and sibling root datasets with the root dataset.
18. The method of
19. The method of
20. The method of
22. The intrusion detection system of
23. The intrusion detection system of
24. The intrusion detection system of
25. The intrusion detection system of
26. The intrusion detection system of
27. The intrusion detection system of
28. The intrusion detection system of
29. The intrusion detection system of
31. The intrusion detection system of
32. The intrusion detection system of
33. The intrusion detection system of
34. The intrusion detection system of
36. The intrusion detection system of
37. The intrusion detection system of
38. The intrusion detection system of
40. The system of
41. The system of
42. The system of
43. The system of
44. The system of
means for receiving a traffic signature not having a root dataset;
means for generating a root dataset having a root keyset representative of the traffic signature;
means for identifying all existing child and sibling root datasets of the root dataset;
means for generating absent child and sibling root datasets of the root dataset; and
means for associating the child and sibling root datasets of the root dataset with the root dataset.
45. The system of
46. The system of
means for retrieving data for processing of a traffic signature by searching a data storage system for an existing root dataset having a root keyset corresponding to the traffic signature; and
means for identifying all child datasets, sibling root datasets, and child datasets of the root dataset through the root dataset.
48. The method of
|
This invention relates generally to the field of intrusion detection, and more particularly to a method and system for maintaining network activity data for intrusion detection.
Computer networks have become an increasingly important means for communicating public and private information between and within distributed locations. The Internet is one example of a public network commonly used for communicating public and private information. Internet web servers provide access to public information such as news, business information and government information which the Internet makes readily available around the world. The Internet is also becoming a popular form for business transactions, including securities transactions and sales of goods and services.
A large number of people have come to depend upon reliable Internet access and secure communications on a day-by-day and even second-by-second basis. Like the Internet, private networks also have become a common means for communicating important information. Private networks such as company intranets, local area networks (LANs), and wide area networks (WANs), generally limit access on a user-by-user basis and communicate data over dedicated lines or by controlling access through passwords, encryption, or other security measures.
One danger to reliable and secure network communications is posed by hackers or other unauthorized users disrupting or interfering with network resources. The danger posed by unauthorized access to computer network resources can vary from simple embarrassment to substantial financial losses. For example, serious financial disruptions occur when hackers obtain financial account information or credit card information and use that information to misappropriate funds.
Intrusion detection systems are commonly used to detect and identify unauthorized use of a computer network before network resources and information are substantially disrupted or violated. In general, intrusion detection systems track address data for traffic on the network. This data is organized into keysets representing attack profiles and is continually updated and accessed to identify potential attacks on the network.
Current methods for retrieving intrusion detection data search the data for each keyset relevant to the traffic being monitored. In the case of Internet Protocol (IP) traffic, this means that each packet monitored on the network generates from four to six searches of the data, which is detrimental to the overall performance of the intrusion detection system.
The present invention provides a method and a system for maintaining network activity data for intrusion detection that substantially eliminate or reduce disadvantages and problems associated with previous methods and systems. In particular, the present invention indexes network activity data to allow intrusion detection to be performed using a reduced number of data searches.
In accordance with one embodiment of the present invention, a method and system for maintaining network activity data for an intrusion detection system includes storing data representative of network activity in datasets. The datasets include root datasets each having a root keyset and child datasets each having a child keyset with a key combination derived from and less granular than the root keyset. Child datasets are identified through their root datasets.
More specifically, in accordance with a particular embodiment of the present invention, all child datasets of a root dataset may be identified through the root dataset. In this and other embodiments, the child datasets may be identified by pointers from the root dataset to the child dataset. Root datasets may also identify a sibling root dataset with the sibling root dataset identifying all of its child datasets.
Technical advantages of the present invention include providing an improved method and system for maintaining network activity data for intrusion detection. In a particular embodiment, network activity is represented by datasets with each root dataset identifying its child datasets. The root and child datasets relevant to a particular item of network traffic are found and/or generated and then associated with each other upon the first occurrence of the network traffic. As a result, the number of searches is reduced with only one search being required upon the reoccurrence of the network traffic and/or an occurrence of related network traffic.
Another technical advantage of one or more embodiments of the present invention includes providing an improved intrusion detection system. In particular, the intrusion detection system can process traffic efficiently through a search reduction algorithm for queries into intrusion detection data that has a subset/superset relationship. As a result, the system can monitor additional traffic or an equal amount of traffic with reduced resources to efficiently detect attacks.
Still another technical advantage of one or more embodiments of the present invention includes providing an improved method and system for removing outdated data from an intrusion detection system. In particular, child datasets are linked with root datasets and allowed to expire only when they are no longer needed. Outdated datasets no longer in use are automatically eliminated. Accordingly, the amount of data that must be maintained by the system is reduced without degenerating the system.
Other technical advantages will be readily apparent to one skilled in the art from the following figures, description and claims.
For a more complete understanding of the present invention and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, wherein like numerals represent like parts, in which:
Referring to
The private network 12 includes a plurality of hosts 24 connected by an internal network of links 20. The network is a local area network (LAN), a wide area network (WAN), or other suitable connection of wireline or wireless links 20, capable of communicating data between the hosts 24. For the local area network embodiment, the network may be an Ethernet.
The public network 14 includes a plurality of hosts 26 connected to the Internet 22 by wireline or wireless links 28. Through the Internet 22, the host 26 may access one another and access the hosts 24 in the private network 12. In the IP embodiment, the hosts 24 and 26 each include an IP address uniquely identifying the host within its network.
The hosts 24 and 26 are each a computer such as a personal computer, file server, workstation, minicomputer, mainframe, or any general purpose or other computer or device capable of communicating with other computers or devices over a network. The hosts 24 and 26 include input/output (I/O) interfaces for communicating over the network, general purpose and/or application specific integrated circuit (ASIC), field programmable gate array (FPGA) or other suitable specific purpose processors, and memory for storing programs and other suitable operating instructions.
The hosts 24 operating on the border between the intranet 20 and the Internet 22 each include an intrusion detection system 30. As used herein, each means every one of at least a subset of the identified items. The intrusion detection system 30 tracks data based on source and destination relationships of the traffic to identify attacks on the private network 12. For the IP embodiment, the intrusion detection system 30 tracks relationships described by the source address, source port, destination address and destination port of the IP packets.
Referring to
The packet analysis engine 32 reads routing information, or packet data, from monitored packets processed by a host 24. In the IP embodiment, the packets are sent between the hosts 24 and 26 in the transmission control protocol/internet protocol (TCP/IP) format. In the TCP/IP format, the signatures identify the source and destination for the payload information contained in the packet. In particular, each IP packet contains a source IP address, a source port, a destination IP address and a destination port. The packet analysis engine 32 stores representations of this information which may include the information itself, in the database 36 and retrieves information about previous relevant network activity to process the signature.
The packet analysis engine 32 includes a sensor 40 that identifies attacks on host 24 within the private network 12. In particular, the sensor 40 processes each signature using network activity data retrieved in the database 36 to determine whether the signature may be part of an attack. When the sensor 40 identifies an attack, the intrusion detection system 30 notifies the host 24 which may inform a network operator of the attack, block traffic associated with the attack and/or take other suitable action.
The search engine 34 accesses the database 36 in response to requests by the packet analysis engine 32 to identify and/or retrieve network activity data associated with a signature processed by the packet analysis engine 32. In the IP embodiment, the search engine 34 searches the database 36 based on the source IP address, source port, destination IP address and destination port of the signature to identify the location of network activity data relevant to the signature. The location of the data or the data itself is passed to the packet analysis engine 32 for retrieval and/or processing of the data in connection with the signature.
The database 36 stores network activity data in datasets 50. In one embodiment, the database 36 includes a plurality of datasets 50 each including a keyset 52 and information indicative of network activity corresponding to the keyset 52. In the IP embodiment, the keysets include source IP address, source port, destination IP address and/or destination port key combinations.
The datasets 50 include root datasets 54 and child datasets 56. The root datasets 54 include root keysets 58 while the child datasets 56 include child keysets 60. The root and child keysets 58 and 60 have a superset/subset relationship with the child keysets 60 having a key combination derived from and less granular than the root keysets 58. In one embodiment, the root keysets 58 are stream based keysets identifying a specific connection. The child keysets are host-to-host and other keysets identifying part of a connection. Accordingly, each child keyset 60 includes a key combination derived from one or more root keysets 58. Two or more root datasets 50 may form sibling datasets 50 having root keysets 58 with reverse representations of a connection, and thus each other.
The root datasets 54 each identify relevant child datasets 56. Relevant child datasets 56 are datasets having child keysets 60 with a combination of keys derived from the root keyset 58 of the root dataset 54 and used by the packet analysis engine 32 to process signatures for intrusion detection. In a particular embodiment, the root datasets 54 include pointers from the root dataset 54 to each relevant child dataset 56. This allows data for the relevant child datasets 56 to be identified through the root datasets 54 and reduces the number of searches of the database 36 by the search engine 34. Accordingly, signatures are more efficiently processed by the packet analysis engine 32. It will be understood that child datasets 56 may be otherwise suitably identified by and/or through root datasets 54 to which they relate.
The database controller 38 controls generation and termination, or expiration, of datasets 50 in the database 36. In one embodiment, the database controller 38 includes a dataset generator 60 and a dataset terminator 62. The dataset generator 62 automatically generates datasets 50 absent from a database 36 and relevant to a signature processed by the packet analysis engine 32. In this embodiment, the dataset generator generates and manages the pointers. In a particular embodiment, the number of pointers maintained by or for any element is fixed in size and pointer management overhead is felt only during initial generation and/or association of a child dataset with a root dataset.
The dataset terminator 62 automatically terminates outdated datasets 50 including root datasets 54 at the end of a corresponding session and child datasets 56 no longer having any root datasets 54. In a particular embodiment, the child datasets 56 include a counter 64 indicating the number of root datasets 54 to which they correspond. Upon generation of a related dataset 54, the counter 64 is incremented by 1 and upon termination of a related root dataset 54, the counter 64 is decremented by 1 such that the counter is decremented to a value of zero upon all related root datasets 54 being terminated or being readied for termination from the database 36. The counter value is a termination status indicator with child datasets 56 having a value of zero being automatically deleted. Thus, outdated child datasets 56 are automatically removed from the database 36. It will be understood that data may be otherwise inserted into and/or removed from the database 36 without departing from the scope of the present invention.
Referring to
The activity counter 104 includes a counter or other suitable indication of a number of occurrences of traffic corresponding to the root keyset 102. The activity counter 104 is incremented each time traffic corresponding to the root keyset is received and decremented as the data is aged and/or reset after a particular session, in which case attacks are identified on a session-by-session basis. The value of the activity counter 104 is used by the sensor 40 to determine whether an activity threshold has been exceeded and an attack is or may be underway.
The pointers 106, 108, 110 and 112 point from the root dataset 54 to child datasets 56 and to sibling root datasets having a reverse root keyset 102. Accordingly, data for the child datasets 56 and sibling datasets are identified by the root dataset 54.
The termination status 114 indicates whether the root dataset 54 can be terminated. In one embodiment, the root dataset 54 is only terminated when both it and its sibling root dataset are outdated. In this embodiment, the root and sibling datasets may be outdated at the end of a session to which they correspond or when the activity counter 104 indicates that the datasets are empty. Thus, sibling datasets are only terminated when they are as a group outdated and no longer in use.
Referring to
The activity counter 144 includes a counter or other suitable indication of a number of occurrences of traffic corresponding to the child keyset 142. As discussed in connection with activity counter 104, the value of the activity counter 144 is incremented and decremented, aged or reset and is used by the sensor 40 to determine whether an activity threshold has been exceeded and an attack is underway.
The root counter 146 identifies a number of root datasets 54 to which a child dataset 56 is relevant. This number is incremented each time a root dataset 54 relevant to the child dataset 56 is added to the database 36 and decremented each time a root dataset 54 relevant to the child dataset 56 is removed from the database 36. Thus, the child dataset 56 is internally aware of a number of root datasets 54 to which it relates. Upon termination of all relevant root datasets 54, the root counter 146 is decremented to zero, indicating that the child dataset 56 is no longer needed and can be automatically deleted from the database 36. In this way, outdated datasets are automatically removed from the database 36.
Referring to
Keyset “AaBb” is a root keyset 58 having child keysets 60 “AxBx,” “xxBb,” and “Axxb,” where “x” denotes an open key not specifying information. To identify datasets 56 for the child keysets 60, the dataset 54 for the root keyset “AaBb” includes pointers 180 from the root dataset 54 to each of the child datasets 56 containing the keysets 60.
The root datasets 54 for keyset “AaBb” also includes a pointer to its sibling dataset 54 having a root keyset 58 with a reverse representation “BbAa.” Similar to the root dataset 54 for keyset “AaBb,” the sibling dataset 54 for root keyset “BbAa” includes pointers to child datasets 56 with child keysets “BxAx,” “xxAa,” and “Bxxa.” In a particular embodiment, host-to-host child keysets “AxBx” and “BxAx” include pointers to one another to facilitate identification.
Sorting of network activity data into the root and child keysets allows different types of intrusion attacks to be recognized by the intrusion detection system 30. For example, in a web-based attack, the attacker passes through a specific web application. Accordingly, these types of attacks will have the same stream based information and are detectable through data tracked in connection with the root keysets “AaBb” and “BbAa.”
For straight machine attacks, one machine attacks or attempts to hack into another machine. In this type of attack, the source and destination addresses will stay the same, but the source and destination ports may vary. Accordingly, these types of attacks are identifiable by data tracking in connection with child keysets “AxBx” and “BxAx.” For multiple-host attacks, the attaching host will vary while the attack host and application remain the same. Child keysets “xxBb” and “xxAa” will detect this type of attack. Child keysets “Axxb” and “Bxxa” will detect attacks from a specific host to a specific network port. By indexing data for the keysets based on their superset/subset relationship, all data relevant to processing a signature for intrusion detection can be retrieved from the database 36 from a single or reduced number of searches. Thus, a signature can be evaluated for all tracked attack profiles based on a single search of the database 36.
Proceeding to step 202, the database 36 containing network activity data is searched for a root keyset 58 and/or a root dataset 54 containing the root keyset 58 corresponding to the signature. For the IP embodiment, the root keyset 58 comprises the source IP address, source port, destination IP address and destination port. Next, at decisional step 204, the search engine 34 determines whether a root dataset 54 for the root keyset 58 exists in the database 36. If the root keyset 58 does not exist, the No branch of decisional step 204 leads to step 206.
At step 206, the root dataset 54 including the root keyset 58 is generated by the database controller 38. At step 208, the search engine 34 searches the network activity data in the database 36 for a sibling keyset 58 and/or a root dataset 54 containing the sibling keyset 58 having a reverse representation from the root keyset 58.
At decisional step 210, the search engine 34 determines whether the sibling keyset 58 exists. If the sibling keyset 58 does not exist, the No branch of decisional step 210 leads to step 212. At step 212, the database controller 38 generates a root dataset 54 including the sibling keyset 58. Step 212 leads to step 214. Returning to decisional step 210, if the sibling keyset 58 exist in the database 36, the Yes branch of decisional step 210 also leads to step 214.
At step 214, the search engine 34 searches network activity data in the database 36 for child keysets 60 and/or child datasets 56 containing child keysets 60. Next, a decisional step 216, the search engine 34 determines whether all relevant child keysets 60 exist in the database 36 for the root keyset 58. If all child keysets 60 do not exist, the No branch of decisional step 216 leads to step 218 in which child datasets 56 including the absent child keysets 60 are generated. Step 218 leads to step 220. Returning to decisional step 216, if all child keysets 60 exist, the Yes branch of decisional step 216 also leads to step 220. Thus, all sibling and child datasets 54 and 56 with keysets relevant to a root keyset 58 are identified and/or generated upon the generation of the root dataset 54.
At step 220, the root, sibling and child keysets 58 and 60 are associated with each other through their datasets 54 and 56 to allow the sibling and child keysets 58 and 60 to be identified through the dataset 54 for the root keyset 58. In one embodiment, the root, sibling and child keysets 58 and 60 are associated with each another by storing pointers with the root dataset 54 to each of the child and sibling datasets 54 and 56. Accordingly, using the root dataset 54, all network activity data relevant to a signature may be identified and retrieved from the database 36.
Returning to decisional step 204, if the root keyset 58 exists, then all relevant sibling and child datasets 54 and 56 exist and have been previously associated with the root dataset. Accordingly, the Yes branch of decisional step 204, as well as step 220, lead to step 222 in which the root dataset 54 is identified. Next, at step 224, sibling and child datasets 54 and 56 relevant to the signature are identified from the root dataset 54.
At step 226, network activity data is retrieved from the root, sibling and child datasets 54 and 56 for processing of the signature. At step 228, the retrieved data is compared to intrusion detection thresholds by the sensor 40. At decisional step 230, the sensor 40 determines whether an attack is or may be underway. An attack may be underway if network activity data associated with the signature exceeds predefined thresholds. In this event, the Yes branch of decisional step 230 leads to step 232 in which an alarm is generated to notify a network operator of the attack or to block the attack. Step 232 leads to the end of the process.
Returning to decisional step 230, if no attack is detected, the No branch of decisional step 230 also leads to the end of the process. Thus, network activity data used to process a signature for intrusion detection is retrieved from a database with a single database search. As a result, the intrusion detection system 30 can process traffic faster and/or with reduced resources through more efficient searches.
Proceeding to step 254, the database controller 38 determines a termination status of the sibling dataset 54 from its termination status 114. Next, at decisional step 256, the dataset terminator 62 for the database controller 38 determines whether the sibling is ready for termination based on the termination status 114. The sibling dataset is ready for termination if its termination status 114 indicates that it is ready for termination and not ready for termination if its termination status 114 indicates that it is not ready for termination.
At the decisional step 256, if the sibling dataset 54 is not ready for termination, then the root dataset 54 is maintained for signature processing in connection with the sibling dataset 54 and the No branch of decisional step 256 leads to the end of the process. If the sibling is ready for termination, then the root and sibling datasets 54 may be terminated and the Yes branch of decisional step 256 leads to step 258 in which the sibling dataset 54 is terminated. Child datasets 56 for the sibling dataset 54 are terminated as described below in connection with the root dataset 54.
Next, at step 260, all child datasets 56 related to the root dataset 54 and having no other root datasets are terminated. In one embodiment, the child datasets 56 each include the root counter 146 indicating the number of relevant root datasets in the database 36. Each time a root dataset 54 is terminated, the counter for all relevant child datasets 56 is decremented such that the counter is zeroed out or reaches another suitable predefined value to indicate that the child dataset 56 is no longer needed. In this embodiment, all child datasets 56 having a root counter value of zero are automatically deleted from the database 36. It will be understood that the child datasets 56 may be otherwise suitably deleted from the database 36 without departing from the scope of the present invention.
Next, at step 262, the root dataset 54 is terminated from the database 56. Thus, the root, sibling and all child datasets 56 relevant only to the root dataset 54 are deleted from the database 36 at the end of the corresponding data session or when otherwise outdated. Step 262 leads to the end of the process by which unneeded datasets 50 are automatically deleted to minimize the amount of data that must be searched and the cost of maintaining intrusion detection data.
Although the present invention has been described with several embodiments, various changes and modifications may be suggested to one skilled in the art. It is intended that the present invention encompass such changes and modifications as fall within the scope of the appended claims.
Wiley, Kevin L., Lathem, Gerald S., Hall, Jr., Michael L.
Patent | Priority | Assignee | Title |
10027650, | Aug 09 2011 | FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP | Systems and methods for implementing security |
10153906, | Aug 09 2011 | FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP | Systems and methods for implementing computer security |
10454916, | Aug 09 2011 | FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP | Systems and methods for implementing security |
10505956, | Jul 18 2013 | FireEye Security Holdings US LLC | System and method for detecting malicious links in electronic messages |
10601807, | Aug 09 2011 | FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP | Systems and methods for providing container security |
11057400, | Jun 29 2017 | Fujitsu Limited | Device and method for detecting attack in network |
7140041, | Apr 11 2002 | FINJAN BLUE, INC | Detecting dissemination of malicious programs |
7143444, | Nov 28 2001 | SRI International | Application-layer anomaly and misuse detection |
7269851, | Jan 07 2002 | McAfee, Inc | Managing malware protection upon a computer network |
7350234, | Jun 11 2001 | Research Triangle Institute | Intrusion tolerant communication networks and associated methods |
7464404, | May 20 2003 | TREND MICRO INCORPORATED | Method of responding to a truncated secure session attack |
8074277, | Jun 07 2004 | Check Point Software Technologies, Inc. | System and methodology for intrusion detection and prevention |
8370936, | Feb 08 2002 | Juniper Networks, Inc | Multi-method gateway-based network security systems and methods |
8478831, | Aug 26 2004 | International Business Machines Corporation | System, method and program to limit rate of transferring messages from suspected spammers |
8635695, | Feb 08 2002 | Juniper Networks, Inc. | Multi-method gateway-based network security systems and methods |
8676960, | Dec 03 2003 | RSA Security LLC | Network event capture and retention system |
8931099, | Jun 24 2005 | KYNDRYL, INC | System, method and program for identifying and preventing malicious intrusions |
9065804, | Aug 09 2011 | FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP | Systems and methods for implementing security in a cloud computing environment |
9094372, | Feb 08 2002 | Juniper Networks, Inc. | Multi-method gateway-based network security systems and methods |
9124640, | Aug 09 2011 | FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP | Systems and methods for implementing computer security |
9369493, | Aug 09 2011 | FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP | Systems and methods for implementing security |
9401838, | Dec 03 2003 | RSA Security LLC | Network event capture and retention system |
9438470, | Dec 03 2003 | RSA Security LLC | Network event capture and retention system |
9497224, | Aug 09 2011 | FIDELIS SECURITY LLC; RUNWAY GROWTH FINANCE CORP | Systems and methods for implementing computer security |
9838416, | Jun 14 2004 | FireEye Security Holdings US LLC | System and method of detecting malicious content |
Patent | Priority | Assignee | Title |
5850516, | Dec 23 1996 | BT AMERICAS INC | Method and apparatus for analyzing information systems using stored tree database structures |
5991881, | Nov 08 1996 | RPX Corporation | Network surveillance system |
6072942, | Sep 18 1996 | McAfee, LLC | System and method of electronic mail filtering using interconnected nodes |
6249755, | May 25 1994 | VMWARE, INC | Apparatus and method for event correlation and problem reporting |
6400996, | Feb 01 1999 | Blanding Hovenweep, LLC; HOFFBERG FAMILY TRUST 1 | Adaptive pattern recognition based control system and method |
6647400, | Aug 30 1999 | Symantec Corporation | System and method for analyzing filesystems to detect intrusions |
6671818, | Nov 22 1999 | Accenture Global Services Limited | Problem isolation through translating and filtering events into a standard object format in a network based supply chain |
6779120, | Jan 07 2000 | JPMORGAN CHASE BANK, N A ; MORGAN STANLEY SENIOR FUNDING, INC | Declarative language for specifying a security policy |
6826697, | Aug 30 1999 | CA, INC | System and method for detecting buffer overflow attacks |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Dec 19 2000 | LATHEM, GERALD S | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 011401 | /0836 | |
Dec 19 2000 | HALL, MICHAEL L , JR | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 011401 | /0836 | |
Dec 20 2000 | WILEY, KEVIN L | Cisco Technology, Inc | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 011401 | /0836 | |
Dec 21 2000 | Cisco Technology, Inc. | (assignment on the face of the patent) | / |
Date | Maintenance Fee Events |
Aug 21 2009 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Sep 23 2013 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Sep 21 2017 | M1553: Payment of Maintenance Fee, 12th Year, Large Entity. |
Date | Maintenance Schedule |
Mar 21 2009 | 4 years fee payment window open |
Sep 21 2009 | 6 months grace period start (w surcharge) |
Mar 21 2010 | patent expiry (for year 4) |
Mar 21 2012 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 21 2013 | 8 years fee payment window open |
Sep 21 2013 | 6 months grace period start (w surcharge) |
Mar 21 2014 | patent expiry (for year 8) |
Mar 21 2016 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 21 2017 | 12 years fee payment window open |
Sep 21 2017 | 6 months grace period start (w surcharge) |
Mar 21 2018 | patent expiry (for year 12) |
Mar 21 2020 | 2 years to revive unintentionally abandoned end. (for year 12) |